ISO 27005: Information Security Risk Management That Holds Up Under Audit

Standarity Editorial Team · ISO 27005 Lead Risk Managers

ISO 27005:2022 is the guidance standard for information security risk management within an ISO 27001 ISMS. The 2022 revision aligned the standard more closely with ISO 31000's broader risk management vocabulary, sharpened the scenario-based risk analysis approach that practitioners had been informally using for years, and provided more concrete worked examples than its predecessors. Used as substantive methodology it raises the quality of an ISMS's risk assessment significantly. Used as a documentation reference for the auditor's sake it adds workload without value.

Why ISO 27001's Risk Process Needs Methodology

ISO 27001 requires an organisation to establish a risk assessment process, perform risk assessments, treat the identified risks, and review the results periodically. The standard is deliberately silent on methodology — it does not specify whether the organisation should use asset-based, scenario-based, or process-based analysis, what scoring scheme to use, or how to weight likelihood against impact. The organisation must choose, document, and apply a methodology consistently. ISO 27005 is the standard that fills the methodological gap, and the absence of methodology is one of the more common audit nonconformities raised against under-developed ISMSs.

Scenario-Based Versus Asset-Based Analysis

ISO 27005:2022 makes the scenario-based approach explicit and presents it as the more useful complement to asset enumeration. Asset-based analysis catalogues assets and considers what could happen to each — comprehensive but generic. Scenario-based analysis constructs concrete attack and failure scenarios (ransomware encrypts production systems; credentials are stolen via phishing and used to access customer data; a critical vendor suffers an outage and our service degrades; an insider exfiltrates source code) and assesses likelihood and impact for each. Scenarios are easier to reason about, easier to communicate to executives, and more actionable for treatment decisions. Strong ISMS risk assessments use both — assets to ensure comprehensiveness, scenarios to drive analysis quality.

Risk Criteria That Mean Something

The risk criteria — the rules that determine what counts as low, medium, high, or critical — are the most consequential design decisions in the risk methodology. Criteria that are too lenient produce risk assessments where nothing rises above medium, treatment decisions are uniformly "accept," and the ISMS does not actually change anything. Criteria that are too strict produce assessments where most risks score high, treatment becomes unprioritisable, and the organisation runs out of treatment capacity. The criteria need to reflect organisational risk appetite genuinely — anchored to consequences the executive team would actually want to avoid — rather than being designed for the convenience of the assessment exercise.

A pattern in ISO 27001 audit findings: the risk methodology is documented, the risk register exists, and the assessment was conducted. The auditor finds that nothing in the register scored above medium, no treatment was triggered by the assessment, and the same assessment from three years ago produced the same scores against a materially different threat environment. The methodology and the register satisfy the documentation requirement; they evidence no actual risk management. ISO 27005 used substantively produces a different assessment, not just better documentation.

Treatment Beyond Mitigate

ISO 27005 treats the four risk treatment options explicitly — modify (apply controls to reduce risk), retain (accept the risk at its current level), avoid (eliminate the risk source), and share (transfer some of the risk to insurance or a third party). Most ISMS implementations default to modify as the treatment for most identified risks, and produce a Statement of Applicability that justifies every Annex A control as in scope. Mature programmes use the other treatment options where they fit — retaining low-impact risks explicitly rather than implementing disproportionate controls, sharing some risk through cyber insurance with documented decisions about coverage and exclusions, avoiding certain risks by exiting particular activities. The treatment diversity reflects genuine risk management rather than reflexive control application.
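The two failure modes described under "Risk Criteria That Mean Something" and the treatment options above, as an added worked example (constructed here, not part of the article or of ISO 27005): a small scenario-based register scored on a 1..5 likelihood x impact scale under two hypothetical criteria sets, LENIENT and ANCHORED, with a simple illustrative mapping from band to treatment. The scenario names, scores, thresholds and the `insurable` flag are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
# Constructed example (hypothetical values, not a real register): likelihood
# and impact on a 1..5 ordinal scale; risk score = likelihood * impact.
@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: int   # 1 rare .. 5 almost certain
    impact: int       # 1 negligible .. 5 severe
    insurable: bool   # could part of the loss be shared with an insurer?

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

# Band = first threshold the score reaches, top down. LENIENT needs a near-max
# score to leave "medium"; ANCHORED puts "high" at 12, the executive pain point.
LENIENT = {"critical": 25, "high": 20, "medium": 10, "low": 0}
ANCHORED = {"critical": 20, "high": 12, "medium": 6, "low": 0}

def band(score: int, criteria: dict) -> str:
    for name in ("critical", "high", "medium", "low"):
        if score >= criteria[name]:   # "low": 0 always matches a score >= 1
            return name

def treatment(risk_band: str, insurable: bool) -> str:
    # Illustrative policy; "avoid" (exiting an activity) is a management call.
    if risk_band == "critical":
        return "modify"
    if risk_band == "high":
        return "share" if insurable else "modify"
    return "modify" if risk_band == "medium" else "retain"

def assess(register, criteria) -> dict:
    """{scenario name: (score, band, treatment)} under one criteria set."""
    out = {}
    for s in register:
        b = band(s.score, criteria)
        out[s.name] = (s.score, b, treatment(b, s.insurable))
    return out

def distribution(register, criteria) -> Counter:
    return Counter(band(s.score, criteria) for s in register)

REGISTER = [
    Scenario("ransomware encrypts production systems", 3, 5, True),
    Scenario("phished credentials used to reach customer data", 4, 4, True),
    Scenario("critical vendor outage degrades our service", 3, 3, False),
    Scenario("insider exfiltrates source code", 2, 4, False),
]
```

Under LENIENT the same four scenarios never leave "medium", so every treatment is modify or retain; under ANCHORED two of them become "high" and the insurable ones are candidates for sharing.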

Components of an ISO 27005 Implementation That Adds Value

  • Risk criteria anchored to genuine organisational risk appetite, not designed for assessment convenience
  • Both asset-based and scenario-based analysis — comprehensiveness through assets, depth through scenarios
  • Scenarios that reflect the actual threat environment, refreshed as the environment changes
  • Treatment decisions across all four options, not reflexive modify for everything
  • Residual risk acceptance by executives with appropriate authority, documented and dated
  • Periodic risk review tied to material change rather than calendar cadence alone
  • Integration with the broader enterprise risk register where one exists
  • Risk reporting that drives operational and executive decisions rather than satisfying the audit

The Distinction That Matters

The distinction between a risk register that satisfies the auditor and a risk register that drives the organisation is the most important quality marker for an ISMS. ISO 27005, used as substantive methodology, helps produce the latter. The work is not heavier than the documentation-driven version — it is differently focused, with effort spent on analysis quality and treatment decisions rather than on form-filling. The ISMS that emerges is one the organisation actually uses, and that is the ISMS that produces the security outcomes the standard was designed to enable.
